Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

Aqua released Kube-hunter on Aug.17, and project code is freely available on GitHub. Rather than looking for vulnerabilities inside of container images, Kube-hunter looks for exploitable vulnerabilities in the configuration and deployment of Kubernetes clusters. The project code is open-source and can be run against an organization's own clusters, with additional online reporting capabilities provided by Aqua Security.

"Kube-hunter uses our new open source code," Liz Rice, technology evangelist at Aqua Security, told eWEEK. "It's written in Python and designed to be easy for the community to add more tests or hunters."

Further reading

Aqua Security is a container security platform vendor that launched its first commercial product in May 2016. The company has enhanced its platform over the years, growing from just supporting Docker containers to providing protection for container orchestration systems including Kubernetes.

While Aqua Security has a commercial platform, it has also built a series of open-source tools that help organizations validate different aspects of container security. Among Aqua's open-source tools is microscanner, which scans container images for known vulnerabilities. Microscanner examines the contents of application images and doesn’t look at the setup of Kubernetes, according to Rice.

Another Aqua Security open-source tool is Kube-bench, which runs a series of tests against the Center for Internet Security (CIS) Kubernetes benchmark. Rice said Kube-bench only checks configuration against CIS best practices and doesn’t employ real-world attack vectors to actually test them.

"Kube-hunter is a penetration testing tool, which means it actually tries to penetrate your cluster using methods an attacker might use," she said.

Tests

Many types of risks that penetration testers will often scan for in an engagement are hard-coded or default credentials. Rice said Kube-hunter doesn't look inside container images for that kind of sensitive data, but it can run tests that probe for data leaks. For example, she noted that there is already a test in Kube-hunter that examines TLS certificates for email addresses. Those addresses could be used by an attacker in a phishing attack. Rice added that it's feasible that other tests could be added to Kube-hunter to search for other sensitive data in just the way an attacker might.

Scanning for vulnerable Kubernetes clusters is not a new phenomenon. On June 18, security firm Lacework released a report in which it identified 21,169 publicly facing container orchestration platforms. Security researchers can also simply use the shodan.io search tool to look for publicly accessible Kubernetes clusters. Rice emphasized that what Kube-hunter does is different than a simple shodan search, for a variety of reasons.

"First, it can be deployed inside a pod, so it doesn't only attack your cluster from the outside, but from the inside, simulating what an attack might look like if you've already been compromised," Rice said. "Additionally, running Kube-hunter with the –active parameter will attempt to run exploits that take advantage of the gaps found—for example, extract the build date of Kubernetes when there's an exposed proxy."

By making Kube-hunter open-source, Rice said the goal is to involve the larger security community. She noted that additional developers, whether independent, working for other vendors or within end-user organizations, can add more attack vector tests, improve the existing ones, and test the tool on a wider variety of environments and setups.

"We hope to see a lot of feedback as it's being used, and of course from other developers," Rice said. "As Kubernetes continues to evolve, its configuration will also become more complicated, creating more opportunities for the uninformed to leave gaps."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Advertiser Disclosure:
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.